[PATCH] Patches required for POSIX ACL support of GPOs
Andrew Bartlett
abartlet at samba.org
Wed May 9 19:38:48 MDT 2012
These patches are in my master-devel branch, and are needed for GPO
support to create the correct POSIX ACL. I would very much appreciate
review, so we can consider enabling s3fs by default, and making the 4.0
Beta release.
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/master-devel

commit caa318ea1b9346778e564ed6a67449e02d5a6d6c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 9 12:11:45 2012 +1000

    s3-smbd: Do not merge UID ACE values with GID ACE values for posix ACL

    This might happen when we get a SID mapped to IDMAP_BOTH.

    Andrew Bartlett

commit 52cf66b11cac3f4f8717a4b3a9fe91088cdc1659
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 10 09:16:51 2012 +1000

    s3-smbd: Also consider a matching SID when making up owning user permissions

    This covers a case where an IDMAP_BOTH mapping creates group permissions, but must own
    the file.

    Andrew Bartlett

commit 80c5c407517671040ffc4ddfa7a52adf1c8b5dd2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 3 11:07:58 2012 +1000

    s3-posix_acls: Add helper function add_current_ace_to_acl for IDMAP_BOTH support

    We need to split things up into a new helper function
    add_current_ace_to_acl() in order for there to be more posix ACL
    elements than NT ACL elements (so a group SID can own a file, but also
    get the group permissions that will be honoured)

    Andrew Bartlett

commit ea323ef2bd1555405885b2be71b55f4e5074f56e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 10 10:10:38 2012 +1000

    s3-smbd: Handle IDMAP_BOTH by mapping to both a group ACL entry and file ownership

    This will allow groups, such as domain administrators, to own files
    while correctly handling the rest of the ACL permissions.

    Andrew Bartlett

This patch is needed for the same idea, in the NFSv4 ACL code. It removes the sidmap as discussed, but I can't test it.

commit 5193b7f00181831c3d631e8b6f88cd3b783fd577
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 7 08:48:24 2012 +1000

    s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first

    By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support
    IDMAP_BOTH. This is because by checking for a mapping to a GID first, we can rely on
    the fact that IDMAP_BOTH will resolve to a GID.

    If the sidmap idea is valued - it allows multiple SIDs to map to a single unix ID, this should
    be done in the IDMAP layer.

    Andrew Bartlett

This came up when looking over the debug logs while fixing another bug,
but I think is worthwhile. It isn't strictly required, but avoids going
via NSS to build the fake token.

commit abf6ca1c560e1bec5656d830c61227cfb8af6133
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 10 09:19:46 2012 +1000

    s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls

    When a user owns a file, but does not have specific permissions on that file, we need to
    make up the user permissions. This change ensures that the first thing that we do
    is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam()
    and directly create the token via the SID.

    Andrew Bartlett

These two patches avoid creating a UID ACE when we are working with an owning group, for the file ACL.

commit 21b9371732b65ecc341fe2f810942011982f8bd2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 10 11:05:41 2012 +1000

    s3-smbd: Consider a group with the same SID as sufficient duplication

    This code is to ensure that the user does not lose rights when their file
    ownership is taken away. If the owner (an IDMAP_BOTH SID) appears as a group
    then a duplicate user is not required.

commit 5b163cc42173f142c46d8296cf3c9d0dc52c3bd9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 10 11:18:04 2012 +1000

    s3-smbd: Avoid creating a UID ACL entry for SIDs that are mapped as IDMAP_BOTH

    The GID ACL entry is what will be mapped in most cases, and so is sufficient.

    Andrew Bartlett

The end result is an ACL like this below. The only remaining issue is
that we should not create a user: entry (SMB_ACL_USER) for the owning
group in the default acl. The code assumes this is required if a
SMB_ACL_USER_OBJ is created, but this is from when only users could own
files, as owning groups will never match on this. It is additionally
only triggered in the default acl case, due to the way the priority for
Creator User is handled.
getfacl: Removing leading '/' from absolute path names
# file: data/samba/samba4/prefix/var/locks/sysvol/s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}
# owner: 3000007
# group: 3000007
user::rwx
group::rwx
group:3000002:r-x
group:3000005:rwx
group:3000007:rwx
group:3000066:rwx
group:3000067:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000007:rwx
default:group::---
default:group:3000002:r-x
default:group:3000005:rwx
default:group:3000007:rwx
default:group:3000066:rwx
default:group:3000067:r-x
default:mask::rwx
default:other::---
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
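
Added example, not part of the original message or of Samba: a small Python check that parses getfacl output and reports the redundant named user: entry described in the message, where the owning id already has a named group: entry in the same ACL. It assumes an IDMAP_BOTH owner appears with the same numeric id as owner and group, as in the listing; the function names and the abridged sample with a placeholder path are constructed for illustration.

```python
# Constructed sample: abridged from the listing in the message, placeholder path.
SAMPLE = """\
getfacl: Removing leading '/' from absolute path names
# file: PATH_PLACEHOLDER
# owner: 3000007
# group: 3000007
user::rwx
group::rwx
group:3000002:r-x
group:3000007:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000007:rwx
default:group::---
default:group:3000002:r-x
default:group:3000007:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (header dict, [(is_default, tag, qualifier, perms), ...])."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):  # blank line or stderr notice
            continue
        if line.startswith("#"):  # "# owner: 3000007" style header
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        fields = line.split("#", 1)[0].strip().split(":")  # drop "#effective:" notes
        is_default = fields[0] == "default"
        fields = fields[1:] if is_default else fields
        if len(fields) != 3:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        entries.append((is_default, *fields))
    return header, entries

def redundant_owner_user_entries(text):
    """Named user: entries for the owning id that a named group: entry already covers."""
    header, entries = parse_getfacl(text)
    owner = header.get("owner")
    if owner is None or owner != header.get("group"):
        return []  # assumption: an IDMAP_BOTH owner has one id as owner and group
    groups = {(d, q) for d, tag, q, _ in entries if tag == "group" and q}
    return [(d, q, p) for d, tag, q, p in entries
            if tag == "user" and q == owner and (d, q) in groups]
```

Each result is (is_default, id, perms); on the sample it reports only the default ACL's user:3000007 entry, matching the remaining issue noted in the message.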